On 08.05.2018 14:03, peter.b...@bsd4all.org wrote:
> Hi Victor,
>
> I'm struggling with the same issue. My sainfo doesn't match unless I
> use anonymous.
>
> Hi Andrey,
>
> What I don't understand is why a "catchall" policy is added instead
> of the policy that matches the inner tunnel.
This is because of how IPsec works in the BSD network stack. In simple words: outbound traffic is matched by security policy, inbound traffic is matched by security association. When a packet is going to be sent from a host, the kernel checks the security policies for a match. If it is matched, the packet goes into IPsec processing. Then the IPsec code, using the given security policy, looks up the matching security association, and some IPsec transform happens.

When a host receives a packet, it is handled by the network stack first, and if it has a corresponding IPsec inner protocol (ESP, AH), it will be handled by the IPsec code. A packet has an embedded SPI, which is used for the security association lookup. If the corresponding SA is found, the IPsec code will apply the reverse IPsec transform to the packet. Then the kernel checks that there is some security policy for that packet.

Now, how if_ipsec(4) works. Security policies associated with an interface have configured requirements for tunnel mode with the configured addresses. The interfaces are designed for route-based VPN, and when a packet is going to be sent through an if_ipsec interface, its "output" routine uses the security policy associated with the interface and with the configured "reqid". If there are no SAs configured with the given reqid, the IPsec code will send an ACQUIRE message to IKE, and it should install the SAs that will be used for the IPsec transforms. When a host receives a packet, it is handled by the network stack, then by the IPsec code, and when the reverse transform is finished, the IPsec code checks whether the packet was matched by a tunnel mode SA; if so, it will be checked by the if_ipsec input routine. If the addresses and reqid from the SA match the if_ipsec configuration, the packet will be taken by the if_ipsec interface.

> What is supposed to happen here? Is the IKE daemon supposed to update
> the policy once started.

In my understanding IKE is only supposed to install SAs for if_ipsec. It can't change these policies, because they are immutable.
I think that for proper support of several if_ipsec interfaces racoon needs some patches, but I have no spare time to do this job. I recommend using strongSwan; it has active developers who are responsive and may give some help at least. There was a link with an example, but it also uses only one interface: https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec

-- 
WBR, Andrey V. Elsukov
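The reqid binding Andrey describes can be exercised without any IKE daemon at all by installing the tunnel-mode SAs by hand, which is also the quickest way to check whether a "several if_ipsec interfaces" setup is a racoon problem or a kernel-side one. The script below is an added example, not code from the mailing-list post, from racoon or from the FreeBSD tree: it emits the ifconfig(8) and setkey(8) commands for two if_ipsec interfaces on one gateway, each with its own reqid, and tags every SA with that reqid through setkey's "-u" option. The outer addresses 192.168.0.3/.5/.7, the inner 10.0.0.0/30 and 10.0.1.0/30 nets, the reqids 100 and 200, the SPIs and the key are all made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the FreeBSD tree):
# two if_ipsec(4) interfaces on one gateway, each with its own reqid, and
# manually installed tunnel-mode ESP SAs tagged with that reqid via "-u".
# Outer/inner addresses, reqids, SPIs and the key are made-up placeholders.

# Emit the ifconfig(8) commands that create one if_ipsec interface.
#   $1 ifname  $2 reqid  $3 local outer  $4 remote outer
#   $5 local inner/prefix  $6 remote inner
vti_ifconfig() {
    printf 'ifconfig %s create reqid %s\n' "$1" "$2"
    printf 'ifconfig %s tunnel %s %s\n' "$1" "$3" "$4"
    printf 'ifconfig %s inet %s %s\n' "$1" "$5" "$6"
}

# Emit setkey(8) "add" lines for one SA pair (outbound, then inbound).
# The SA must be tunnel mode and carry the interface's reqid ("-u"):
# on input, if_ipsec only claims a packet whose SA has matching tunnel
# addresses and reqid, so an SA installed without "-u <reqid>" decrypts
# fine but never reaches the interface.
#   $1 local outer  $2 remote outer  $3 reqid  $4 out SPI  $5 in SPI  $6 key (0x-hex)
vti_setkey() {
    printf 'add %s %s esp %s -m tunnel -u %s -E aes-gcm-16 %s;\n' "$1" "$2" "$4" "$3" "$6"
    printf 'add %s %s esp %s -m tunnel -u %s -E aes-gcm-16 %s;\n' "$2" "$1" "$5" "$3" "$6"
}

# Succeed only if every reqid given is distinct, so each SA pair maps to
# exactly one interface.
reqids_unique() {
    [ -z "$(printf '%s\n' "$@" | sort | uniq -d)" ]
}

# Constructed placeholder key: aes-gcm-16 with a 128-bit key takes 160 bits
# (key plus salt). A real deployment uses a separate random key per tunnel.
KEY=0x000102030405060708090a0b0c0d0e0f10111213

# Full configuration for two tunnels from gateway 192.168.0.3.
emit_config() {
    reqids_unique 100 200 || return 1
    vti_ifconfig ipsec0 100 192.168.0.3 192.168.0.5 10.0.0.1/30 10.0.0.2
    vti_ifconfig ipsec1 200 192.168.0.3 192.168.0.7 10.0.1.1/30 10.0.1.2
    printf 'setkey -c <<EOF\n'
    vti_setkey 192.168.0.3 192.168.0.5 100 10000 10001 "$KEY"
    vti_setkey 192.168.0.3 192.168.0.7 200 20000 20001 "$KEY"
    printf 'EOF\n'
}

# Print the commands by default; "apply" runs them (root on FreeBSD required).
if [ "${1:-}" = apply ]; then
    emit_config | sh
else
    emit_config
fi
```

Once the SAs are in place, traffic routed via ipsec0 should be counted by `netstat -s -p esp` and show up in `setkey -D` as use of the SA with the matching reqid; if the inbound counters move but nothing arrives on the interface, the reqid or tunnel endpoints on the SA do not match what `ifconfig ipsec0` reports, which is exactly the mismatch that an IKE daemon installing SAs without the right reqid would produce.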